Data Processing Addendum

This Data Processing Addendum (“Addendum”) amends the Shop Circle Terms and Conditions and Privacy Policy (“Agreement”) by and between Shop Circle Ltd, One Kingdom Street, Paddington Central, London - W2 6BD, United Kingdom (“Shop Circle”) and the customer entity that is the party to the Agreement (“Customer”). 


  1. DEFINITIONS

1.1. Agreement means Shop Circle Terms and Conditions and Privacy Policy, or other written or electronic agreement, which govern the provision of the service to Customer.


1.2. Customer Data means any personal data that Shop Circle processes on behalf of Customer.


1.3. Data Protection Laws means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of processing Personal Data in question under the Agreement, including without limitation, the CCPA and the data protection and privacy laws of Canada, Australia and Brazil.


1.4. European Data Protection Laws means all data protection laws and regulations applicable to Europe including General Data Protection Regulation (GDPR).


1.5. Europe means, for the purpose of this document, the European Economic Area (EEA) and its member states, Switzerland and the United Kingdom.


1.6. The terms “personal data”“controller”“data subject”“processor” and “processing” shall have the meaning given to them under applicable Data Protection Laws. 


1.7. Sensitive Data means any information that falls within the definition of “special categories of data” under applicable Data Protection Laws, including social security number, genetic, biometric or health information, racial, ethnic, political or religious affiliation, criminal record. 


1.8. Sub-processor means any processor engaged by Shop Circle or its affiliates to assist in fulfilling its obligations with respect to providing the service pursuant to the Agreement or this Ammendum.


1.9. Security Incident means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Shop Circle.



  1. ROLES AND RESPONSIBILITIES

2.1. If European Data Protection Laws apply to either party’s processing of Customer Data, the parties acknowledge and agree that with regard to the processing of Customer Data, Shop Circle is a processor acting on behalf of Customer (whether itself a controller or a processor). This addendum will not apply to instances where Shop Circle is the controller.


2.2. Shop Circle will process Customer Data as further described in Annex A of this Ammendum. Customer will not provide any Sensitive Data to Shop Circle for processing under this Ammendum, and Shop Circle will have no liability whatsoever for Sensitive Data in any case. 


2.3. Customer will ensure that Shop Circle's processing of the Customer Data in accordance with Customer’s instructions will not cause Shop Circle to violate any applicable law, regulation, or rule, including, Data Protection Laws. Where Customer acts as a processor on behalf of a third-party controller, Customer warrants that its processing instructions, including its authorizations to Shop Circle for the appointment of Sub-processors in accordance with this Ammendum, have been authorized by the relevant controller. Customer shall serve as the sole point of contact for Shop Circle and Shop Circle will not interact directly with any third-party controller.


  1. SUB-PROCESSING

3.1. Customer agrees that Shop Circle may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Shop Circle and authorized by Customer are HulkApps, Ltd, India; Shopify Inc, Canada and its affiliates;


3.2. Shop Circle will enter into a written agreement with each Sub-processor containing data protection obligations, to the extent practicable, no less protective than those in this Addendum or as may otherwise be required by applicable Data Protection Laws and regulations. Shop Circle agrees to be responsible for the acts or omissions of each such Sub-processor to the same extent as Shop Circle would be liable if performing the services of such Sub-processor under the terms of the Addendum.


3.3. Shop Circle will inform Customer of any new Sub-processor engaged during the term of the Agreement by updating the Sub-processor list (stated in 3.1.). If Customer reasonably believes that the appointment of a new Sub-processor will have a material adverse effect on Shop Circle's ability to comply with applicable Data Protection Laws and regulations, then Customer must notify Shop Circle in writing, within 30 days following the update to the Sub-processor list.


3.4. Customer acknowledges and agrees that, where applicable, Shop Circle may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality restrictions but Shop Circle shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Sub-processor agreements.


  1. SECURITY

4.1. Shop Circle shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data.


4.2. Shop Circle shall ensure that any person who is authorized by Shop Circle to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).


4.3. Shop Circle agrees to implement appropriate technical and organizational measures designed to protect Customer Data. Those measures include physical security, regular backups, etc.


4.4. Upon becoming aware of a Security Incident, Shop Circle shall: a) notify Customer without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident; b) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; c) promptly take reasonable steps to contain and investigate any Security Incident. Shop Circle's notification of or response to a Security Incident shall not be construed as an acknowledgment by Shop Circle of any fault or liability with respect to the Security Incident.


4.5. Customer is responsible for its secure use of the Service, including, if applicable, securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.


  1. SECURITY REPORTS 

5.1. Shop Circle shall make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum.


  1. INTERNATIONAL TRANSFERS

6.1. Customer acknowledges that Shop Circle may transfer and process Customer Data anywhere in the world where Shop Circle, its affiliates or its Sub-processors maintain data processing operations. Shop Circle shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this Ammendum.


  1. DELETION OF DATA

7.1. Upon termination or expiration of the Agreement, Shop Circle shall delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Shop Circle is required by applicable law to retain some or all of the Customer Data.


7.2. When Customer requests deletion of Customer Data that Shop Circle collects to Shopify and Shopify notify Shop Circle via webhooks (the process is described on https://shopify.dev/apps/webhooks/configuration/mandatory-webhooks), Shop Circle shall promptly confirm their receipt of the request and complete the action within 30 days of receipt (unless Shop Circle is legally required the retain the data). We have implemented the following webhooks: Data Requests, Customer Data Redaction and Shop Data Redaction. 


  1. DATA SUBJECT RIGHTS AND COOPERATION

8.1. Shop Circle shall, considering the nature of the processing, provide reasonable assistance to Customer to the extent possible to enable Customer (or its third-party controller) to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. In the event that any such request is made to Shop Circle directly, Shop Circle shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact Customer) or legally required, without Customer’s prior authorization. If Shop Circle is required to respond to such a request, Shop Circle shall, where the Customer is identified or identifiable from the request, promptly notify Customer and provide Customer with a copy of the request unless Shop Circle is legally prohibited from doing so. 


8.2. To the extent required under applicable Data Protection Laws, Shop Circle shall (considering the nature of the processing and the information available) provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. 


8.3. Shop Circle does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Customer Data. If Shop Circle receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about Customer Data belonging to a Customer whose primary contact information indicates the Customer is located in Europe, Shop Circle shall: a) review the legality of the request; b) inform the government agency that Shop Circle is a processor of the data; c) attempt to redirect the agency to request the data directly from Customer; d) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy; and e) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. 


  1. GENERAL

9.1  Any claims made against Shop Circle or its affiliates under or in connection with this Addendum shall be brought solely by the Customer entity that is a party to the Agreement.


9.2. This Addendum shall remain in effect for as long as Shop Circle carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement.


9.3. In the event of any conflict or inconsistency between this Addendum and the Agreement, the provisions of this Addendum will prevail.


ANNEX A


Categories of data subjects: The categories of data subjects whose personal data is processed include, but not limited to, Customer’s end users.


Categories of personal data: Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data: name, address, phone number and e-mail.


Frequency of processing: Continuous and as determined by Customer.


Subject matter and nature of the processing: The subject matter of the data processing under this Addendum is the Customer Data. Customer Data will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:

  1. Storage and other processing necessary to provide, maintain and improve the service provided to Customer pursuant to the Agreement; and/or
  2. Disclosures in accordance with the Agreement and/or as compelled by applicable law.

Purpose of the processing: Shop Circle shall only process Customer Data for the permitted purposes, which shall include: a) processing as necessary to provide the service in accordance with the Agreement; b) processing initiated by Customer in its use of the Service; and c) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.


Duration of processing and period for which personal data will be retained: As described in Section 7.



Effective, September 2024